security: harden release workflow and declare workflow_call secrets

- Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN
- Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars
- Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step
- Update actions/setup-java v4.3.0 to v5.2.0
- Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME)
- Fix broken shell conditional in Build artifactId property step

Author: cx-luis-ventuzelos

.github/workflows/release.yml

@@ -41,6 +41,15 @@ on:
         required: false
         default: false
         type: boolean
+    secrets:
+      MAVEN_GPG_PASSPHRASE:
+        required: true
+      MAVEN_GPG_PRIVATE_KEY:
+        required: true
+      OSSRH_TOKEN:
+        required: true
+      OSSRH_USERNAME:
+        required: true
 
 permissions:
   contents: read
@@ -56,16 +65,18 @@ jobs:
       TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Download CLI
         if: inputs.cliTag
+        env:
+          INPUT_CLI_TAG: ${{ inputs.cliTag }}
         run: |
           chmod +x ./.github/scripts/update_cli.sh
-          ./.github/scripts/update_cli.sh ${{ inputs.cliTag }}
+          ./.github/scripts/update_cli.sh "$INPUT_CLI_TAG"
 
       - name: Extract CLI version
         id: extract_cli_version
@@ -92,19 +103,19 @@ jobs:
 
       - name: Tag
         id: set_tag_name
+        env:
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          echo ${{ inputs.tag }}
-          tag=${{ inputs.tag }}
-          echo "RELEASE_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
-          message='${{ inputs.tag }}'
+          echo "$INPUT_TAG"
+          echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
-          echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+          git tag -a "$INPUT_TAG" -m "$INPUT_TAG"
+          git push origin "$INPUT_TAG"
+          echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT
 
       - name: Set up Maven Central Repository
-        uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '11'
           distribution: 'temurin'
@@ -115,19 +126,22 @@ jobs:
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
       - name: Update the POM version.
-        run: mvn -B versions:set -DnewVersion='${{ env.RELEASE_VERSION }}' --file pom.xml -DskipTests
+        run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests
 
       - name: Build artifactId property
+        env:
+          INPUT_DEV: ${{ inputs.dev }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
           prop=''
-          if [ ${{ inputs.dev }} = true ] && ![ "${{ inputs.tag }}" = "1.0.0-SNAPSHOT" ]; then
+          if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]; then
             prop='-Dast.wrapper.id=ast-cli-java-wrapper-dev'
           fi
           echo "AID_PROP=${prop}" >> $GITHUB_ENV
 
       - name: Publish package
         if: inputs.publish == true
-        run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }}
+        run: mvn --batch-mode deploy -DskipTests $AID_PROP
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}